Author

Tapabrata Roy

Bio: Tapabrata Roy is an academic researcher from the Indian Institute of Technology Madras. The author has contributed to research in topics: Stream cipher & Pseudorandom binary sequence. The author has an h-index of 2 and has co-authored 4 publications receiving 8 citations.

Papers
Journal ArticleDOI
TL;DR: This paper attacks full round Fruit by a divide-and-conquer method, which is equivalent to around 16.95 times faster than the average exhaustive key search, and works for the second version of Fruit.
Abstract: In FSE 2015, Armknecht et al. proposed a new technique to design stream ciphers, which involves repeated use of key bits in each round of the keystream bit generation. This technique showed the possibility of designing stream ciphers where the internal state size is significantly lower than twice the key size. They proposed a new cipher based on this idea, named Sprout. But soon Sprout was proved to be insecure. In Crypto 2015, Lallemand et al. proposed an attack which was $$2^{10}$$ times faster than the exhaustive search. But the new idea used in Sprout showed a new direction in the design of stream ciphers, which led to the proposal of several new ciphers with a small internal state size. Fruit is a recently proposed cipher where both the key size and the state size are 80. In this paper, we attack full round Fruit by a divide-and-conquer method. Our attack is equivalent to $$2^{74.95}$$ Fruit encryptions, which is around 16.95 times faster than the average exhaustive key search. Our idea also works for the second version of Fruit.

7 citations

Journal ArticleDOI
TL;DR: An accurate computation of the attack complexities of the existing technique instead of the estimation used in previous works improves the complexity by some margin and suggests a method to increase the backward probability bias, which helps reduce the attack complexity.
Abstract: Salsa and ChaCha are well known names in the family of stream ciphers. In this paper, we first revisit the existing attacks on these ciphers. We first perform an accurate computation of the attack complexities of the existing technique instead of the estimation used in previous works. This improves the complexity by some margin. The differential attacks using probabilistic neutral bits against ChaCha and Salsa involve two probability biases: forward probability bias ($\epsilon_d$) and backward probability bias ($\epsilon_a$). In the second part of the paper, we suggest a method to increase the backward probability bias, which helps reduce the attack complexity. Finally, we focus on the design principle of ChaCha. We suggest a slight modification in the design of this cipher as a countermeasure to the differential attacks against it. We show that the key recovery attacks proposed against ChaCha will not be effective on this modified version.

4 citations

Journal ArticleDOI
TL;DR: In this paper, a hybrid inversive congruential generator (HICG) based on a second order recurrence using the inversive modulo M, a power of 2, was proposed.
Abstract: Though generating a sequence of pseudorandom numbers by linear methods (Lehmer generator) displays acceptable behavior under some conditions on the parameters, it also has undesirable features, which make the sequence unusable for various stochastic simulations. An extension which showed promise for such applications is a generator obtained by using a first-order recurrence based upon the inversive modulo a prime or a prime power, called the inversive congruential generator (ICG). A lot of work has been dedicated to investigating the periods (under some conditions on the parameters), the lattice test passing, discrepancy and other statistical properties of such a generator. Here, we propose a new method, which we call the hybrid inversive congruential generator (HICG), based upon a second order recurrence using the inversive modulo M, a power of 2. We investigate the period of this pseudorandom number generator (PRNG) and give necessary and sufficient conditions for our PRNG to have periods M (thereby doubling the period of the classical ICG) and M/2 (matching that of the ICG). Moreover, we show that the lattice test complexity for a binary sequence associated to a (full period) HICG is precisely M/2.

2 citations

Posted Content
TL;DR: The polynomial definition of a $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}$-additive cyclic code of a certain length is given and a minimal spanning set for that is derived.
Abstract: In this paper we study $\prod\limits_{i=1}^{n} \mathbb{Z}_{2^i}$-Additive Cyclic Codes. These codes are identified as $\mathbb{Z}_{2^n}[x]$-submodules of $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}[x]/ \langle x^{\alpha_i}-1\rangle$; $\alpha_i$ and $\rm{i}$ being relatively prime for each $i=1,2,\ldots,n.$ We first define a $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}$-additive cyclic code of a certain length. We then define the distance between two codewords and the minimum distance of such a code. Moreover we relate these to binary codes using the generalized Gray maps. We define the duals of such codes and show that the dual of a $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}$-additive cyclic code is also cyclic. We then give the polynomial definition of a $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}$-additive cyclic code of a certain length. We then determine the structure of such codes and derive a minimal spanning set for that. We also determine the total number of codewords in this code. We finally give an illustrative example of a $\prod\limits_{i=1}^{n}\mathbb{Z}_{2^i}$-additive cyclic code.

Cited by
Book ChapterDOI
17 Oct 2021
TL;DR: In this article, the first explicitly derived linear approximations for 3 and 4 rounds of ChaCha were presented, which can be used to improve the complexity of the Differential-Linear attacks against the algorithm.
Abstract: In this paper, we present a new technique which can be used to find better linear approximations in ARX ciphers. Using this technique, we present the first explicitly derived linear approximations for 3 and 4 rounds of ChaCha and, as a consequence, it enables us to improve the recent attacks against ChaCha . Additionally, we present new differentials for 3 and 3.5 rounds of ChaCha that, when combined with the proposed technique, lead to further improvement in the complexity of the Differential-Linear attacks against ChaCha.

15 citations

Posted Content
TL;DR: The security of Grain-like small state stream ciphers by the fast correlation attack is studied and the attack matches the expected complexities predicted by the theoretical analysis quite well, which proves the validity of the cryptanalytic techniques.
Abstract: The fast correlation attack (FCA) is one of the most important cryptanalytic techniques against LFSR-based stream ciphers. In CRYPTO 2018, Todo et al. found a new property for the FCA and proposed a novel algorithm which was successfully applied to the Grain family of stream ciphers. Nevertheless, these techniques cannot be directly applied to Grain-like small state stream ciphers with keyed update, such as Plantlet, Fruit-v2, and Fruit-80. In this paper, we study the security of Grain-like small state stream ciphers by the fast correlation attack. We first observe that the number of required parity-check equations can be reduced when there are multiple different parity-check equations. By exploiting the Skellam distribution, we introduce a sufficient condition to identify the correct LFSR initial state and derive a new relationship between the number and bias of the required parity-check equations. Then a modified algorithm is presented based on this new relationship, which can recover the LFSR initial state no matter what the round key bits are. Under the condition that the LFSR initial state is known, an algorithm is given against the degraded system to recover the NFSR state at some time instant, along with the round key bits. As case studies, we apply our cryptanalytic techniques to Plantlet, Fruit-v2 and Fruit-80. As a result, for Plantlet our attack takes 2 time complexity and 2 keystream bits to recover the full 80-bit key. Regarding Fruit-v2, 2 time complexity and 2 keystream bits are taken to determine the secret key. As for Fruit-80, 2 time complexity and 2 keystream bits are required to recover the secret key. More flexible attacks can be obtained with lower data complexity at the cost of increasing attack time. In particular, for Fruit-v2 a key recovery attack can be launched with data complexity of 2 and time complexity of 2. Moreover, we have implemented our attack methods on a toy version of Fruit-v2. The attack matches the expected complexities predicted by our theoretical analysis quite well, which proves the validity of our cryptanalytic techniques.

13 citations

Journal ArticleDOI
TL;DR: This paper theoretically explains the reason of a particular key bit of Salsa to be probabilistically neutral, the first attempt to provide a theoretical justification of the idea of differential key recovery attack against these two ciphers.
Abstract: Salsa and ChaCha are two of the most famous stream ciphers in recent times. Most of the attacks available so far against these two ciphers are differential attacks, where a difference is given as an input in the initial state of the cipher and in the output some correlation is investigated. This correlation works as a distinguisher. All the key recovery attacks against these ciphers are based on these observed distinguishers. However, the distinguisher in the differential attack was purely an experimental observation, and the reason for this bias was unknown so far. In this paper, we provide a full theoretical proof of both the observed distinguishers for Salsa and ChaCha. In the key recovery attack, the idea of probabilistically neutral bit also plays a vital role. Here, we also theoretically explain the reason of a particular key bit of Salsa to be probabilistically neutral. This is the first attempt to provide a theoretical justification of the idea of differential key recovery attack against these two ciphers.

9 citations

Journal ArticleDOI
01 Jul 2020
TL;DR: PudgyTurtle is a way to encode the plaintext in a keystream-dependent manner before encryption, which resists time-memory tradeoff attacks better than standard stream encryption.
Abstract: Stream cipher encryption works by modulo-2 adding plaintext bits to keystream bits, which are in turn produced by successively updating a finite-state machine initialized to a secret starting state. PudgyTurtle is a way to encode the plaintext in a keystream-dependent manner before encryption. Since it can use keystream from any stream cipher, PudgyTurtle functions somewhat like an encryption mode. The process begins by generating successive 4-bit groups of keystream (‘nibbles’) until one of them matches the current plaintext nibble to within one bit. The number of keystream nibbles required, as well as the nearness of this match, is then encoded into a variable-length codeword. Finally, this codeword is encrypted by modulo-2 addition to an equal amount of keystream. Compared to normal binary-additive stream ciphers, this process is less efficient (i.e., more time is required to generate extra keystream nibbles, and more space is needed for the codewords than for the plaintext). However, with this cost comes a benefit: PudgyTurtle resists time-memory tradeoff attacks better than standard stream encryption.

5 citations

Journal ArticleDOI
TL;DR: A parallel version of the ChaCha20 stream cipher, parallel ChaCha20, which is optimized for the SW26010 heterogeneous multi-core processor on the Sunway TaihuLight supercomputer, has good scalability and runs on 1024 core groups with a max throughput of 8296.43 GB/s.
Abstract: Data have always been the most valuable asset of enterprises and research institutions, and their confidentiality, especially that of the input and output data related to applications running on remote supercomputers, should be protected as much as possible. However, because of the large scale of the data, it takes a considerable amount of time to encrypt and decrypt them. The ChaCha20 cipher and the Advanced Encryption Standard (AES) cipher are the only ciphers supported by TLS v1.3. The ChaCha20 cipher is a kind of high-speed stream cipher emerging in recent years, which has attracted more and more attention due to its security and high efficiency. In order to make large-scale data en-/decryption more efficient, we implement a parallel version of the ChaCha20 stream cipher, parallel ChaCha20, which is optimized for the SW26010 heterogeneous multi-core processor on the Sunway TaihuLight supercomputer. We used multiple optimization methods such as Direct Memory Access (DMA) and Single Instruction Multiple Data (SIMD) supported by the SW26010 and proposed an optimization scheme that changes dynamically with the size of the input data. The experimental results show that parallel ChaCha20 has a maximum throughput of 32.43 GB/s on a single SW26010 processor, which is 2.4 times that of the best AES implementation on Sunway as far as we know. Moreover, parallel ChaCha20 has good scalability and runs on 1024 core groups with a max throughput of 8296.43 GB/s.

2 citations